Using an alternative approach to traditional file hashing, digital forensic investigators can hash individually sampled subject drives on sector boundaries and then check these hashes against a prebuilt database, making it possible to process raw media without reference to the underlying file system.
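As an added illustration of the sector-hashing approach described above (this is example code, not the paper's tool or data set), the script below hashes a constructed "known" file sector by sector, builds a lookup database, then hashes a raw image on 512-byte sector boundaries and reports matching sectors without parsing any file system. The sector size, file name and both images are assumptions made up for the example. It also shows the two caveats a practitioner meets first: sectors consisting of one repeated byte (zero fill, erase patterns) must be excluded because they match everywhere, and a file that is not stored sector-aligned produces no hits at all.

```python
import hashlib
import random

SECTOR = 512  # assumed sector size for this example; many modern drives expose 4096-byte sectors


def sector_hashes(data, sector_size=SECTOR):
    """Yield (byte offset, SHA-256 digest) for each full sector of `data`, aligned to sector boundaries."""
    full = len(data) - len(data) % sector_size
    for off in range(0, full, sector_size):
        yield off, hashlib.sha256(data[off:off + sector_size]).digest()


def is_common_sector(sector):
    """A sector made of one repeated byte (zero fill, 0xFF erase pattern) appears on every drive
    and would match everything, so such sectors are kept out of the database."""
    return len(set(sector)) <= 1


def build_sector_db(known_files, sector_size=SECTOR):
    """Map sector hash -> list of (file name, sector index within that file)."""
    db = {}
    for name, content in known_files.items():
        for off, digest in sector_hashes(content, sector_size):
            if is_common_sector(content[off:off + sector_size]):
                continue
            db.setdefault(digest, []).append((name, off // sector_size))
    return db


def scan_image(image, db, sector_size=SECTOR):
    """Hash every sector of a raw image and return [(image sector, [(file, file sector), ...])]
    for sectors present in the database. No file system structures are consulted."""
    hits = []
    for off, digest in sector_hashes(image, sector_size):
        if digest in db:
            hits.append((off // sector_size, db[digest]))
    return hits


# Constructed sample data (not from any real case): a 4-sector "known" file and two raw images.
_rng = random.Random(1)
KNOWN_CONTENT = bytes(_rng.getrandbits(8) for _ in range(4 * SECTOR))
KNOWN_FILES = {"malware.bin": KNOWN_CONTENT}  # hypothetical file name

# Image 1: 10 zero sectors; the known file written sector-aligned at sector 3, with sector 5
# partially overwritten afterwards to simulate damage.
ALIGNED_IMAGE = bytearray(10 * SECTOR)
ALIGNED_IMAGE[3 * SECTOR:7 * SECTOR] = KNOWN_CONTENT
ALIGNED_IMAGE[5 * SECTOR:5 * SECTOR + 16] = b"\xff" * 16

# Image 2: the same file written 100 bytes past a sector boundary, as happens inside container
# formats or allocation schemes that are not multiples of the hashing sector size.
UNALIGNED_IMAGE = bytearray(10 * SECTOR)
UNALIGNED_IMAGE[3 * SECTOR + 100:3 * SECTOR + 100 + len(KNOWN_CONTENT)] = KNOWN_CONTENT

SECTOR_DB = build_sector_db(KNOWN_FILES)


def aligned_hits():
    return scan_image(bytes(ALIGNED_IMAGE), SECTOR_DB)


def unaligned_hits():
    return scan_image(bytes(UNALIGNED_IMAGE), SECTOR_DB)


if __name__ == "__main__":
    for sector, sources in aligned_hits():
        print(f"image sector {sector}: {sources}")
    print("unaligned image hits:", unaligned_hits())
```

On the aligned image the scan identifies three of the file's four sectors (the damaged sector 5 no longer matches) and reports which sector of the known file each one is, which is what lets a partially overwritten or deleted file be recognised without its directory entry. The unaligned image yields nothing, so the hashing sector size has to match the allocation granularity of the medium being scanned; ext4 with 4 KiB blocks on a 512-byte-sector drive is aligned, but other containers may not be.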
Keywords: Ext4; File system forensics; Digital forensics; Extents; Flex block groups

Abstract: This paper presents a low-level study and analysis of Ext4 file system data structures. It includes descriptions of extents, extent trees, directory indexing HTrees, and flex block groups. Currently, data about the file system is scattered with most sources…
This paper describes a competition-style exercise to teach system and network security and to reinforce themes taught in class. The exercise, called NetSecLab, is conducted on a closed network with student-formed teams, each with its own Linux system to defend and from which to launch attacks. Students are expected to learn how to (1) install the…
Ext4 has become the default file system on popular Linux distributions, which means that it will be the subject of digital forensic investigations. In this paper a brief overview of Ext4 is given, followed by a discussion of how the differences between it and its predecessors affect file system forensics. The new file system presents some unique challenges…
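The two Ext4 abstracts above both turn on extents and extent trees, the structure that replaced the indirect-block map of Ext2/3. The parser below is an added example (not code from either paper) of reading that structure from raw bytes: the 12-byte extent header with magic 0xF30A, the 12-byte leaf entries that map a run of logical file blocks to a 48-bit physical start block, and the 12-byte index entries that point at child nodes, with the tree root living in the inode's 60-byte i_block array. The sample inode root, the leaf block at block 1000, and the physical block numbers are constructed for the example; the struct layouts follow the ext4 on-disk format.

```python
import struct

EXT4_EXT_MAGIC = 0xF30A      # eh_magic of every extent tree node
EXT_INIT_MAX_LEN = 1 << 15   # an ee_len above this marks an uninitialized (unwritten) extent
EXT_HEADER_SIZE = 12
EXT_ENTRY_SIZE = 12
I_BLOCK_SIZE = 60            # the inode's i_block array, which holds the tree root


def parse_extent_header(buf, off=0):
    """ext4_extent_header: magic, entries, max entries, depth, generation (little-endian)."""
    magic, entries, max_entries, depth, generation = struct.unpack_from("<HHHHI", buf, off)
    if magic != EXT4_EXT_MAGIC:
        raise ValueError(f"bad extent header magic 0x{magic:04x} at offset {off}")
    if entries > max_entries:
        raise ValueError("eh_entries exceeds eh_max; node is corrupt")
    return {"entries": entries, "max": max_entries, "depth": depth, "generation": generation}


def parse_leaf_extent(buf, off):
    """ext4_extent (depth 0): first logical block, length, 48-bit physical start block."""
    ee_block, ee_len, ee_start_hi, ee_start_lo = struct.unpack_from("<IHHI", buf, off)
    uninit = ee_len > EXT_INIT_MAX_LEN
    length = ee_len - EXT_INIT_MAX_LEN if uninit else ee_len
    return {"logical": ee_block, "len": length,
            "physical": (ee_start_hi << 32) | ee_start_lo, "uninit": uninit}


def parse_index_extent(buf, off):
    """ext4_extent_idx (depth > 0): first logical block covered and the block holding the child node."""
    ei_block, ei_leaf_lo, ei_leaf_hi, _unused = struct.unpack_from("<IIHH", buf, off)
    return {"logical": ei_block, "child": (ei_leaf_hi << 32) | ei_leaf_lo}


def walk_extent_tree(node, read_block, expect_depth=None):
    """Return every leaf extent under `node`; read_block(block_number) fetches child nodes."""
    hdr = parse_extent_header(node)
    if expect_depth is not None and hdr["depth"] != expect_depth:
        raise ValueError("child node depth does not match its parent; tree is corrupt")
    extents = []
    for i in range(hdr["entries"]):
        off = EXT_HEADER_SIZE + i * EXT_ENTRY_SIZE
        if hdr["depth"] == 0:
            extents.append(parse_leaf_extent(node, off))
        else:
            idx = parse_index_extent(node, off)
            child = read_block(idx["child"])
            extents.extend(walk_extent_tree(child, read_block, hdr["depth"] - 1))
    return extents


def logical_to_physical(extents, lblk):
    """Map a file block number to a disk block number; None means the block is a hole."""
    for e in extents:
        if e["logical"] <= lblk < e["logical"] + e["len"]:
            return e["physical"] + (lblk - e["logical"])
    return None


# Constructed sample (hypothetical block numbers): a depth-1 root in i_block pointing at one
# leaf node in block 1000, which holds an 8-block initialized extent and a 4-block
# uninitialized one.
BLOCK_SIZE = 4096
LEAF_BLOCK = 1000


def _pad(data, size):
    return data + bytes(size - len(data))


ROOT_I_BLOCK = _pad(
    struct.pack("<HHHHI", EXT4_EXT_MAGIC, 1, (I_BLOCK_SIZE - EXT_HEADER_SIZE) // EXT_ENTRY_SIZE, 1, 0)
    + struct.pack("<IIHH", 0, LEAF_BLOCK, 0, 0),
    I_BLOCK_SIZE)

LEAF_NODE = _pad(
    struct.pack("<HHHHI", EXT4_EXT_MAGIC, 2, (BLOCK_SIZE - EXT_HEADER_SIZE) // EXT_ENTRY_SIZE, 0, 0)
    + struct.pack("<IHHI", 0, 8, 0, 34000)
    + struct.pack("<IHHI", 8, EXT_INIT_MAX_LEN + 4, 0, 50000),
    BLOCK_SIZE)

DISK = {LEAF_BLOCK: LEAF_NODE}  # stand-in for reading blocks from a raw image


def file_extents():
    return walk_extent_tree(ROOT_I_BLOCK, DISK.__getitem__)


if __name__ == "__main__":
    for e in file_extents():
        print(e)
    print("file block 9 is at disk block", logical_to_physical(file_extents(), 9))
```

The forensic use of the mapping is direct: once the leaf extents are known, file content can be read straight from the physical blocks of an image, and blocks outside any extent are holes. Uninitialized extents deserve a second look during recovery, since the file system returns zeros for them while the underlying physical blocks may still hold whatever was there before allocation.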
Even the most secure computing system can be successfully attacked by a sufficiently motivated entity. To investigate the means of entry, the victim machine will come under the scrutiny of forensic analysis tools. In this era where system compromises occur on a regular basis, the design and implementation of operating systems should consider the necessity…
In this paper we propose a method of measuring data persistence using the Ext4 journal. Digital forensic tools and techniques are commonly used to extract data from media. A great deal of research has been dedicated to the recovery of deleted data; however, there is a lack of information on quantifying the chance that an investigator will be successful in…
This paper presents preliminary findings on a novel method to remotely fingerprint a network of Cyber Physical Systems and demonstrates the ability to remotely infer the functionality of an Industrial Control System device. A monitoring node measures the target device's response to network requests and statistically analyzes the collected data to build and…